The OpenClaw Saga
What the Fastest-Growing AI Agent Teaches Us About Security We Don't Have
In late January 2026, an open-source AI agent called OpenClaw went from a few hundred GitHub stars to over 145,000 in under two months---one of the fastest-growing repositories in GitHub history. The agent can read your emails, manage your calendar, execute terminal commands, modify system files, control your browser, and run scheduled automations on your behalf; it is, by design, the most privileged piece of software on your machine. Within 72 hours of widespread adoption, security researchers had found 42,665 publicly exposed instances, a critical one-click remote code execution vulnerability scoring 8.8 on the CVSS scale, and active malware campaigns targeting the tool's configuration directories. Every major cybersecurity vendor responded---CrowdStrike, Palo Alto Networks, Cisco, Trend Micro, Snyk, Wiz---all publishing advisories within days.
Palo Alto Networks called it "the potential biggest insider threat of 2026." Cisco called it "an absolute nightmare."
The creator's own admission: "I was just like, vibe coding on my phone."
This is not a story about one buggy project. OpenClaw is the first large-scale demonstration of what happens when autonomous AI agents meet enterprise security; the speed gap between adoption velocity and security response is not a fixable bug. It is a structural problem.
From Clawdbot to Catastrophe
November 2025. Peter Steinberger---Austrian software engineer, founder of PSPDFKit, which received a EUR 100 million strategic investment from Insight Partners---publishes an open-source AI assistant called Clawdbot. A few hundred stars. A side project built with heavy AI assistance, using what Steinberger calls "ambient programming"---sometimes shipping code he has never personally read.
Late January, Clawdbot goes viral. Tens of thousands of GitHub stars within days; the novelty of a self-hosted AI agent that executes tasks through messaging platforms draws developers and hackers alike.
Then Anthropic sends a trademark complaint. The name "Clawd" sounds too much like "Claude." Steinberger renames the project to Moltbot on January 27. The Streisand effect kicks in; 91,000 additional stars within 72 hours. Same day: a fake "ClawdBot Agent" VS Code extension drops a trojan on Windows machines. The real team never published a VS Code extension. Attackers claimed the name first.
January 28---Moltbook launches. A social network for AI agents. Over 150,000 agents register within days; the platform eventually grows to 1.5 million agents backed by roughly 17,000 human owners---an 88:1 ratio.
January 29---another rename, Moltbot to OpenClaw, because "Moltbot never quite rolled off the tongue." Each name change creates fresh impersonation opportunities; Malwarebytes documents the campaigns launching after each rebrand.
January 30---the CVE-2026-25253 patch ships. January 31---Wiz discovers that the Moltbook database is wide open. 1.5 million API keys, 35,000 emails, 4.75 million total records exposed. Root cause: a Supabase API key in client-side JavaScript with no Row Level Security enabled.
By early February, the avalanche. 341 malicious skills found by Koi Security. 283 credential-leaking skills found by Snyk---7.1% of the marketplace. Belgium issues a national warning. The Register calls it a "security dumpster fire."
Ten days. Three names. A cascade of failures that security researchers are still cataloging.



